UDP Packet attack - IPS detection

jpugliese — Fri, 21 Feb 2020 12:34:10 GMT

Hi,

I have been having logs for Access-lists configured on an interface on my 6509. Can anyone advise please if I am understanding it correct that IP10.61.64.202 is responsible for bursting attacks on udp port. Many thanks in advance for providing insight.

Feb 20 13:58:15.709 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(50575) -> 10.54.131.255(7), 1 packet

Feb 20 13:58:23.901 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(61488) -> 10.54.131.255(7), 1 packet

Feb 20 13:58:23.901 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(61482) -> 10.54.131.255(7), 1 packet

Feb 20 13:58:23.901 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(61487) -> 10.54.131.255(7), 1 packet

Feb 20 13:58:45.865 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(59357) -> 10.54.131.255(7), 1 packet

Feb 20 13:59:15.981 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55403) -> 10.54.131.255(7), 1 packet

Feb 20 13:59:46.193 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(56614) -> 10.54.131.255(7), 1 packet

Feb 20 14:00:23.962 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet

Feb 20 14:00:23.962 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied igmp 10.54.131.253 -> 224.0.0.1, 5 packets

Feb 20 14:00:52.610 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(58196) -> 10.54.131.255(7), 1 packet

Feb 20 14:01:05.194 AEDT: %SEC-6-IPACCESSLOGDP: list VC-COLO-INBOUND denied icmp 157.128.202.2 -> 10.54.131.253 (8/0), 1 packet

Feb 20 14:01:22.838 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55329) -> 10.54.131.255(7), 1 packet

Feb 20 14:01:23.990 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 7 packets

Feb 20 14:01:23.990 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied pim 10.54.131.253 -> 224.0.0.13, 10 packets

Feb 20 14:01:23.990 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-OUTBOUND denied udp 10.54.131.253(1985) -> 224.0.0.2(1985), 111 packets

Feb 20 14:02:26.498 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(62934) -> 10.54.131.255(7), 1 packet

Feb 20 14:02:44.487 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(52203) -> 10.54.131.255(7), 1 packet

Feb 20 14:03:02.579 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(62834) -> 10.54.131.255(7), 1 packet

Feb 20 14:03:24.055 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets

Feb 20 14:04:14.203 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.87(63295) -> 10.54.131.255(7), 1 packet

Feb 20 14:04:24.087 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet

Feb 20 14:05:24.116 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied igmp 10.54.131.253 -> 224.0.0.1, 5 packets

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55344) -> 10.54.131.255(7), 1 packet

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(58203) -> 10.54.131.255(7), 1 packet

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55343) -> 10.54.131.255(7), 1 packet

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGDP: list VC-COLO-INBOUND denied icmp 157.128.202.2 -> 10.54.131.253 (8/0), 1 packet

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied pim 10.54.131.253 -> 224.0.0.13, 10 packets

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55347) -> 10.54.131.255(7), 1 packet

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55338) -> 10.54.131.255(7), 1 packet

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-OUTBOUND denied udp 10.54.131.253(1985) -> 224.0.0.2(1985), 111 packets

Feb 20 14:06:24.152 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(58202) -> 10.54.131.255(7), 1 packet

Feb 20 14:08:22.433 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(58567) -> 10.54.131.255(7), 1 packet

Feb 20 14:08:24.213 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(54781) -> 10.54.131.255(7), 1 packet

Feb 20 14:08:52.513 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(56322) -> 10.54.131.255(7), 1 packet

Feb 20 14:09:15.821 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(63011) -> 10.54.131.255(7), 1 packet

Feb 20 14:09:33.421 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-OUTBOUND denied udp 10.54.131.241(138) -> 10.54.131.255(138), 1 packet

Feb 20 14:09:46.077 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(63027) -> 10.54.131.255(7), 1 packet

Feb 20 14:10:05.309 AEDT: %SEC-6-IPACCESSLOGDP: list VC-COLO-INBOUND denied icmp 157.128.202.2 -> 10.54.131.253 (8/0), 1 packet

Feb 20 14:10:24.278 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets

Feb 20 14:10:24.278 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied igmp 10.54.131.253 -> 224.0.0.1, 5 packets

Feb 20 14:10:53.738 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(50736) -> 10.54.131.255(7), 1 packet

Feb 20 14:11:24.310 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets

Feb 20 14:11:24.310 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied pim 10.54.131.253 -> 224.0.0.13, 11 packets

Feb 20 14:11:24.310 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-OUTBOUND denied udp 10.54.131.253(1985) -> 224.0.0.2(1985), 111 packets

Feb 20 14:12:24.338 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets

Feb 20 14:12:42.370 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(49958) -> 10.54.131.255(7), 1 packet

Feb 20 14:13:04.623 AEDT: %SEC-6-IPACCESSLOGDP: list VC-COLO-INBOUND denied icmp 157.128.202.2 -> 10.54.131.253 (8/0), 1 packet

Feb 20 14:13:24.375 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets

Feb 20 14:14:14.527 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.87(63844) -> 10.54.131.255(7), 1 packet

Feb 20 14:14:24.407 AEDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet

Feb 20 14:15:24.436 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied igmp 10.54.131.253 -> 224.0.0.1, 5 packets

Feb 20 14:16:24.468 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(58846) -> 10.54.131.255(7), 1 packet

Feb 20 14:16:24.468 AEDT: %SEC-6-IPACCESSLOGRP: list VC-COLO-OUTBOUND denied pim 10.54.131.253 -> 224.0.0.13, 10 packets

Feb 20 14:16:24.468 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(60644) -> 10.54.131.255(7), 1 packet

Feb 20 14:16:24.468 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(64297) -> 10.54.131.255(7), 1 packet

Feb 20 14:16:24.468 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-OUTBOUND denied udp 10.54.131.253(1985) -> 224.0.0.2(1985), 110 packets

Feb 20 14:17:24.500 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(49355) -> 10.54.131.255(7), 1 packet

Feb 20 14:17:24.500 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(57310) -> 10.54.131.255(7), 1 packet

Feb 20 14:17:24.500 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55738) -> 10.54.131.255(7), 1 packet

Feb 20 14:17:24.500 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(55936) -> 10.54.131.255(7), 1 packet

Feb 20 14:18:08.149 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(52177) -> 10.54.131.255(7), 1 packet

Feb 20 14:18:24.533 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(49959) -> 10.54.131.255(7), 1 packet

Feb 20 14:18:24.533 AEDT: %SEC-6-IPACCESSLOGDP: list VC-COLO-INBOUND denied icmp 157.128.202.2 -> 10.54.131.253 (8/0), 1 packet

Feb 20 14:18:24.533 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(49964) -> 10.54.131.255(7), 1 packet

Feb 20 14:18:24.533 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(49965) -> 10.54.131.255(7), 1 packet

Feb 20 14:18:53.249 AEDT: %SEC-6-IPACCESSLOGP: list VC-COLO-INBOUND denied udp 10.61.64.202(52185) -> 10.54.131.255(7), 1 packet